Supported Versions (security fixes are released for these release lines only):
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
We take security seriously. If you discover a security vulnerability in PAN, please follow these steps:
Do not disclose a vulnerability publicly (including in a public issue or pull request) until it has been addressed.
Report it privately: open a GitHub Security Advisory on the repository (private vulnerability reporting), or contact the repository owner through a private channel.
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
Response Timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity (Critical: 24-72 hours, High: 1-2 weeks)
We believe in recognizing security researchers who help us:
- Credit in CHANGELOG.md (if desired)
- Acknowledgment in security advisory
- Hall of Fame on repository
PAN was designed with security as the primary goal. The model below states what the design defends against and, just as importantly, what it does not:
Protected Against:
- Session hijacking via XSS: a stolen session cookie is not enough to act, because each sensitive request must carry a signature from a key that script on the application origin cannot reach
- Cookie theft and replay: a captured cookie or signed request cannot be reused, because every signature covers a single-use nonce
- Man-in-the-middle session attacks: an attacker who observes traffic cannot forge signatures (this still assumes TLS on every origin, see the deployment checklist below)
- Browser extension key extraction: the private key is non-extractable, so extensions and page scripts can at most request signatures from the signing origin; they cannot export the key material
- Memory scraping for session tokens: signatures are per-request and short-lived, so scraping page memory does not yield a reusable credential
Not Protected Against:
- Social engineering (the user is tricked into performing the action themselves, so the interaction proof is genuine)
- Pre-authentication attacks such as credential phishing (PAN protects an established session; it does not replace login)
- Local device compromise, for example malware or a hardware keylogger
- Browser 0-days (nation-state grade exploits that break the origin boundary or the WebCrypto implementation)
Key Mechanisms:
- Origin Isolation: the signing iframe is served from a separate subdomain, which is its own origin, so script injected into the application origin cannot reach the key
- Non-Extractable Keys: the key pair is created through WebCrypto with extractable set to false, so the browser refuses to export it; note that this prevents reading the key, not using it, which is why the other mechanisms exist
- Interaction Proofs: the signing frame validates genuine human interaction before producing a signature, so injected script cannot silently drive it
- Single-Use Nonces: each challenge carries a server-issued nonce that is consumed on first use and expires after its TTL, which prevents replay
- Cryptographic Binding: ECDSA signatures over the P-256 curve bind each request to the session key
When deploying PAN:
- ✅ Always use HTTPS for all origins, including the signing subdomain; a plaintext origin lets a network attacker substitute the signing frame
- ✅ Set a Content-Security-Policy on every origin; on the signing origin, restrict frame-ancestors to the application origin so no other site can embed the signing iframe
- ✅ Use HttpOnly, Secure, SameSite=Strict cookies for the session
- ✅ Configure short nonce TTLs (≤5 minutes); a nonce that is never consumed should expire rather than stay valid
- ✅ Monitor and alert on signature verification failures and on rejected (replayed or expired) nonces
- ✅ Implement rate limiting on the nonce issuance and verification endpoints
- ✅ Use Redis with authentication and restrict network access to it; the nonce store must not be reachable without credentials
- ✅ Keep dependencies updated
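A small audit of the cookie and CSP items in the checklist, added here as an example and not part of PAN. The function names, the sample headers and the application origin https://app.example.com are constructed for illustration; the audit flags a session cookie missing HttpOnly, Secure or SameSite=Strict, and a signing-origin CSP that lacks frame-ancestors or loosens script execution.

```javascript
// Added example, not PAN's code: audits Set-Cookie and CSP headers against the
// deployment checklist above. Function names and sample headers are constructed.

// Splits "name=value; Attr; Attr=v" into the cookie pair and a map of attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Returns the problems with a session cookie; an empty list means it meets the checklist.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  if (!attrs.httponly) problems.push("missing HttpOnly: page script can read the cookie");
  if (!attrs.secure) problems.push("missing Secure: cookie is sent over plaintext HTTP");
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
  if (sameSite !== "strict") {
    problems.push(`SameSite is '${attrs.samesite ?? "unset"}', expected Strict`);
  }
  return problems;
}

// Splits a CSP value into { directive: [sources...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Audits the CSP served by the signing origin: only the app origin may frame it,
// and script execution must not be loosened with 'unsafe-inline' or a wildcard.
function auditSigningOriginCsp(header, appOrigin) {
  const d = parseCsp(header);
  const problems = [];
  const ancestors = d["frame-ancestors"];
  if (!ancestors) {
    problems.push("no frame-ancestors: any site can embed the signing iframe");
  } else if (!ancestors.every((s) => s === "'none'" || s === "'self'" || s === appOrigin)) {
    problems.push(`frame-ancestors allows unexpected sources: ${ancestors.join(" ")}`);
  }
  const script = d["script-src"] ?? d["default-src"] ?? [];
  if (script.length === 0) problems.push("no script-src or default-src: scripts are unrestricted");
  if (script.includes("'unsafe-inline'")) problems.push("script-src allows 'unsafe-inline'");
  if (script.includes("*")) problems.push("script-src allows any origin (*)");
  return problems;
}

// Constructed sample headers: a weak pair and a pair that meets the checklist.
const WEAK_COOKIE = "session=abc123; Path=/";
const GOOD_COOKIE = "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict";
const WEAK_CSP = "default-src 'self' 'unsafe-inline'";
const GOOD_CSP = "default-src 'self'; script-src 'self'; frame-ancestors https://app.example.com";
const APP_ORIGIN = "https://app.example.com"; // hypothetical application origin

if (typeof require !== "undefined" && require.main === module) {
  for (const h of [WEAK_COOKIE, GOOD_COOKIE]) console.log(h, auditSessionCookie(h));
  for (const h of [WEAK_CSP, GOOD_CSP]) console.log(h, auditSigningOriginCsp(h, APP_ORIGIN));
}
```

Run it against the headers your deployment actually returns (for example from `curl -sI`) rather than the samples; the frame-ancestors comparison is exact, so the origin passed in must match the scheme and host the CSP lists.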
Security Audits:
- 2026-01: Initial security review
- More audits pending
Thank you for helping keep PAN and its users safe!